Dirty Frag

Dirty Frag: A Universal Linux Local Privilege Escalation via ESP and RxRPC (CVE-2026-43284 / CVE-2026-43500)

guy-gilad Ran Mahalal

By Guy Gilad & Ran Mahalal

May 08, 2026

Executive Summary

Dirty Frag is a new Linux kernel local privilege escalation that combines two kernel bugs – one in the IPsec subsystem and one in RxRPC, giving any unprivileged local user a root shell on every major distribution. The exploit is reliable and lasts until a reboot or cache fault

Public PoC code has been released, the upstream patch only covers half of the chain. You should definitely mitigate today.

What Is Dirty Frag and How Does It Work?

Dirty Frag is the latest entry in the Dirty Pipe (2022) / Copy Fail (2025) family, and follows the same pattern. An unprivileged process uses `splice()` to pin a read-only page from the kernel’s page cache, then steers it into a subsystem that runs crypto in place on the buffer. The subsystem assumes the memory is its own and writes a few bytes – landing them directly in the victim file’s page cache. From that point on, every reader on the host sees the modified copy in RAM, while the file on disk is untouched until `drop_caches` or a reboot.

There are two independent write primitives, paired for full distro coverage:

  • xfrm-ESP (CVE-2026-43284) –  The IPsec receive path decrypts the buffer directly on the spliced page, and the attacker controls the bytes that get written. Requires `CAP_NET_ADMIN`, which the attacker obtains by entering a user namespace.
  • RxRPC (CVE-2026-43500) – The RxRPC receive path decrypts an 8-byte block of the buffer directly on the spliced page. The cipher is weak (56-bit and deterministic), so the attacker can brute-force a key offline that decrypts to their chosen bytes. No namespace required.


The end-to-end flow is the same for both variants. The attacker opens the target file read-only – `/usr/bin/su` for ESP, `/etc/passwd` for RxRPC – and uses `splice()` to plant its page-cache page into the send buffer of a local socket. They then send that buffer back to themselves over loopback (ESP-in-UDP on port 4500, or an `AF_RXRPC` connection), which makes the kernel run its receive-side crypto and write into the pinned page. The ESP variant uses that write to overlay `/usr/bin/su` with a tiny `setuid(0); execve(“/bin/sh”)` ELF; the RxRPC variant blanks root’s password field in `/etc/passwd`, letting `pam_unix.so nullok` pass `su -` through without a prompt.

Is Dirty Frag Actively Exploited?

A working PoC and full technical write-up went public on 2026-05-07. CVE-2026-43284 was assigned and patched in the upstream Linux kernel on 2026-05-08.
https://github.com/V4bel/dirtyfrag

We have not observed confirmed in-the-wild campaigns at the time of writing, but the exploit’s properties – deterministic logic bug, no race window, no kernel panic on failure, very high reliability – make rapid weaponization the expected outcome. Treat this as imminently exploited.

Which Linux Systems Are Affected?

The xfrm-ESP Page-Cache Write vulnerability is in scope from commit cac2661c53f3 (January 17, 2017) through upstream. The RxRPC Page-Cache Write vulnerability is in scope from commit 2dc334f1a63a (June 2023) through upstream.

Dirty Frag has been confirmed to work against popular distribution including:

  • Ubuntu 24.04.4 – kernel 6.17.0-23-generic
  • RHEL 10.1 – kernel 6.12.0-124.49.1.el10_1.x86_64 (advisory states affecting Red Hat Enterprise Linux 10, 9, 8)
  • openSUSE Tumbleweed – kernel 7.0.2-1-default
  • CentOS Stream 10 – kernel 6.12.0-224.el10.x86_64
  • AlmaLinux 10 – kernel 6.12.0-124.52.3.el10_1.x86_64

Cloud relevance: Amazon Linux, EKS worker nodes, GKE Container-Optimized OS, AKS Ubuntu node pools, and most marketplace VM images all run kernels in the affected window by default.

Exposure and Mitigation

Start with a few quick checks on any Linux host to gauge exposure:

  • Identify the running kernel version, then compare against your distro’s advisory.

uname -r 

  • See which of the two attack surfaces is currently resident. Note that on most distros esp4 and esp6 autoload on demand, so absence from lsmod is not a guarantee of safety.

lsmod | grep -E "esp4|esp6|rxrpc" 

  • If this returns 1, the ESP variant is reachable from unprivileged users.

cat /proc/sys/kernel/unprivileged_userns_clone (Ubuntu) 

Once you know what’s exposed, apply the mitigations below in order:

  • Block the vulnerable modules. Until a patched kernel is available, prevent esp4, esp6, and rxrpc from loading and unload them if they’re already in memory:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"


Check the trade-offs first: blacklisting esp4 / esp6 may break IPsec on the host, and removing rxrpc affects AFS environments. Confirm neither is in production use before applying.

  • Patch as soon as a fixed kernel ships. Track vendor advisories and roll updates on first availability
  • Tighten local access paths. Keep SELinux or AppArmor in enforcing mode, and avoid handing out unnecessary capabilities – CAP_NET_ADMIN
  • Check for abnormal activity. Look out for unexpected process execution, privilege escalations and changes to critical system binaries.
  • If exploitation is suspected, flush the page cache
    with

echo 3 > /proc/sys/vm/drop_caches

Modified pages persist in RAM until evicted or the host reboots.

How Upwind Helps

Upwind helps organizations detect and investigate behaviors associated with Dirty Frag exploitation attempts by providing:

  • Correlation between vulnerability exposure and runtime signals, mapping affected kernels to the workloads running on top of them
  • Detection of suspicious local activity associated with kernel privilege escalation
  • Monitoring of abnormal process behavior

By combining runtime detection with infrastructure context, Upwind helps security teams identify exploitation activity earlier and reduce the window between initial access and full host compromise.

Dirty Frag: A Universal Linux Local Privilege Escalation via ESP and RxRPC (CVE-2026-43284 / CVE-2026-43500)

Further Reading

Mini Shai-Hulud npm worm
Research

A Mini Shai-Hulud Has Appeared: Dissecting a Multi-Vector npm Supply Chain Worm

Lidor Machluf

By Lidor Machluf

May 04, 2026

TL;DR: [email protected] is malicious. It uses Bun runtime smuggling for EDR evasion, scrapes GitHub Actions runner memory for secrets, harvests credentials from every major cloud provider and secrets management system, exfiltrates through RSA-4096 encrypted channels, injects a secret-dumping GitHub Actions workflow disguised as Dependabot, poisons every branch of compromised repos with files disguised as Claude […]

Shai-Hulud Strikes Again: intercom-client@7.0.4
Research

[email protected] Supply Chain Attack Enables Credential Theft: Shai-Hulud Strikes Again

Amit Genkin headshot

By Amit Genkin

Apr 30, 2026

Executive Summary [email protected] is a compromised npm package used in a supply chain attack to steal GitHub, npm, and multi-cloud credentials. The malicious version introduces a preinstall hook that executes an obfuscated payload, harvesting secrets and exfiltrating them via GitHub APIs. This activity is part of the Shai-Hulud worm campaign targeting CI/CD pipelines. Detection Summary […]

Mini Shai-Hulud Targets SAP npm Packages
Research

Mini Shai-Hulud Targets SAP npm Packages: CI/CD Publishing Pipeline Abused in Supply Chain Attack

Screenshot 2024-09-25 at 9.12.26 AM

By Avital Harel

Apr 29, 2026

Executive Summary Our research team identified a sophisticated supply chain attack targeting SAP Cloud Application Programming (CAP) framework packages. The campaign demonstrates advanced techniques for compromising trusted publishing pipelines and injecting malicious code directly into enterprise CI/CD workflows. The activity has been attributed to TeamPCP, a financially motivated threat actor known for large-scale supply chain […]